Oracle and the Common Criteria

Oracle is an active advocate of the Common Criteria. The first vendor to develop and evaluate database protection profiles, Oracle was the first database vendor to be awarded a Common Criteria certificate for its Oracle7, Release 7.2 database server product. 

Overview of the Common Criteria
The International Common Criteria for Information Technology Security Evaluation is a joint effort between North America and the European Union to develop a single set of internationally recognized security criteria. Recently finalized as an ISO standard (number 15408), the Common Criteria supersedes the existing US TCSEC and the European ITSEC. It has been since embraced by most countries around the world as the de facto security evaluation criteria. All documents on the Common Criteria can be downloaded from the Common Criteria Portal.

The Common Criteria awards successfully evaluated products evaluation assurance level (EAL) ratings from EAL1 (lowest) to EAL7 (highest).

The latest Common Criteria version is 3.1 Revision 5 and was released in April 2017.

Evaluation Status
Within the Common Criteria there are two evaluation states:
In Evaluation  and Evaluated.

Common Criteria Evaluated Oracle Products
Queries regarding the versions of guidance documents obtained from Oracle can be raised by sending an email to and if required, a copy of the evaluated version can be provided by email.

Oracle Database

Oracle Servers

Oracle Middleware

Oracle Applications

Java Card

Protection Profiles

Other Products

Oracle Database

Oracle Linux

Oracle Solaris

Oracle Application Server

Oracle AquaLogic

Oracle Business Intelligence

Oracle Enterprise Manager

Oracle Identity and Access Management

Oracle Identity Manager


Oracle Internet Directory

Oracle WebLogic

Oracle Primavera

 Java Card

Database Management Systems

Java Card

Other Oracle Products


Database Management System Protection Profiles
Oracle is the only database vendor who has produced and evaluated database management system protection profiles for CC evaluations. Three profiles have been produced and evaluated for Oracle's database server evaluations. The Database Management System Protection Profile is the most recent Oracle produced Protection Profile and has been evaluated to EAL3.

In June 2006 the U. S. Government Protection Profile Database Management Systems For Basic Robustness Environments version 1.1 was Common Criteria certified.

Protection Profiles Produced and Evaluated for Oracle's Database Server Evaluations


Java Card Protection Profiles
Oracle has created protection profiles for Java Card implementations, to help creators of products based on Java Card technology meet the demand by banks, governments, and other card issuers for security evaluations that comply with a rigorous, widely accepted standard. The latest Java Card Protection Profile is version 3.0, which has been certified at the EAL4+ assurance level by ANSSI, allows Java Card vendors to certify products based on the Java Card Specification, in its 2.2.1, 2.2.2, and 3.0.1 (Classic Edition) versions.

Protection Profiles Produced and Evaluated for Java Card Implementation Evaluations

Superseded Java Card Protection Profiles

Maintenance Report (Superseded)

Maintenance Report (Superseded)